SAFETY MANAGEMENT OF A COMPLEX R&D 
GROUND OPERATING SYSTEM 
James F. Connors* and Roy A. Maurer† 
Lewis Research Center 


SUMMARY 


A perspective on safety program management has been developed 
for a complex R&D operating system, such as the NASA-Lewis Research 
Center. Using a systems approach, hazardous operations are sub- 
jected to third-party reviews by designated area safety committees 
and are maintained under safety permit controls. To insure person- 
nel alertness, emergency containment forces and employees are 
trained in dry-run emergency simulation exercises. The keys to 
real safety effectiveness are top management support and visibility 
of residual risks. 


INTRODUCTION 


Generally, everyone subscribes to the basic concept of safety; 
i.e., the protection of life and limb of personnel, the protection 
of facilities and equipment, and the minimization of disruption to 
operations. However, there also seems to be a certain amount of 
semantics and disparity involved in how the various agencies pur- 
sue, organize and manage against these noble objectives. Function- 
ally, safety is all pervasive! In the technology business, it en- 
compasses virtually all of the technical disciplines. To insure 
system effectiveness, safety surveillance of hazardous activities 
must extend from womb to tomb, or from concept through operations. 
[Note: References 1 through 9 provide the literature backdrops 
against which the viewpoints and safety philosophies expressed 
herein are made. Basically, the approach is from the perspective of 
safety program managers rather than "experts" in safety.] 

What then is the so-called "safety man" or the safety engi- 
neer? Certainly, there is no single omniscient individual versed 
in all technical disciplines that can provide all the safety so- 
lutions. In working with complex systems, we must bring to bear 
the best expert knowledge available to us and appropriate to the 
issues before us. For example, today when dealing with high pres- 
sure systems, we must necessarily involve one versed in fracture 
mechanics and fracture control, one whose analyses and judgments 
we can rely on. With the systems approach, the safety officer's 
job is more one of operations review, coordination, management and 
implementation of procedures. In the assurance of safety, he must 
achieve continuity of surveillance throughout the life cycle of the 
activity. Subdividing safety into system safety, aviation safety, 
industrial safety, public safety, etc., doesn't appear to make much 
sense and only achieves jurisdictional gaps and overlaps. The 
safety man's goal is to insure that the right questions are asked: 
Have all the hazards been identified? Are the controls adequate? 
What could fail? Once the right questions are posed, appropriate 
answers can be found or readily determined from studies keyed to 
sound engineering judgment. 

The responsibility for overall safety is shared by all; how- 
ever, this responsibility increases with each echelon of super- 
vision and management, until it finally focuses on the "top man." 
Safety program implementation just doesn’t happen; it can only be 
done in the style and to the degree that top management supports 
the program. 

Safety necessarily involves the assessment and acceptance of 
certain minimum levels of risk. Management in its decision-making 
processes must have visibility of the residual risks and alterna- 
tives attendant to on-going operations. Hazards and the means for 
their control must be clearly identified, considered in appropri- 
ate trade-off studies and displayed to the management approval 
chain. 


COMPLEX R&D OPERATING SYSTEM: LEWIS RESEARCH CENTER 

For the present purposes of discussion, the complex R&D ground 
operating system (referred to in the title) will be the NASA-Lewis 
Research Center. As an operating system, we will be referring to 
all in-house Center R&D plant operations. Hopefully, the safety 
principles and organizational approaches employed here may find in- 
terest and application to other field installations or other com- 
plex, potentially hazardous operations. 

Let's first examine this particular field installation! The 
Lewis Research Center's R&D mission (figure 1) is focussed in 
three broad areas: (1) advanced propulsion systems, (2) energy 
and power generation systems for both terrestrial and space appli- 
cations and (3) launch vehicles (primarily applications of the 
[LH2-LO2] Centaur stage in support of the unmanned space science 
programs). Included is the entire spectrum of airbreathing, chem- 
ical rocket and electric propulsion systems. Approximately 55% 
of the Center's resources are used in support of the aeronautics 
program. Essentially, Lewis is a gas-turbine engine and related tech- 
nology laboratory! The attendant diversity of potential hazards is 
truly enormous; for example, there are hydrocarbon fuels, cryogenic 
fuels and oxidizers, high-voltage plasma rigs, submicron powders, 
high-pressure and high-temperature structures and containment ves- 
sels, hard vacuum systems, high-speed rotating machinery, radio- 
activity, toxic materials, etc. Subsequently, it will be shown 
that 650 to 700 separate and diverse activities have been identi- 
fied as being hazardous and are under safety permit control. 

The Center's physical plant covers some 350 acres and is shown 
in the aerial photograph of figure 2. Probably the most unique, 
distinguishing characteristic of the Lewis Research Center is its 
central air process system. This is in evidence in the photograph 
by the large (five- to six-foot diameter) overhead lines that dis- 
tribute combustion air (up to 450 psi) and altitude exhaust to the 
furthest extremities of the Center. The prime movers for this 
system are 5- to 20,000 horsepower compressors and exhausters 
located in two main buildings: the Engine Research Building and 
the PSL Equipment Building. From this central air system, approxi- 
mately 50 to 60 different research customers have process air 
conditioned and admitted to their research rig or facility. With 
some components more than 30 years old, the system was designed for 
versatility, economy and efficiency. In its operation, there is a 
high degree of flexibility achieved by the manual setting of valves 
to route the conditioned air to appropriate facilities; of course, 
there is an attendant price in complexity and hazard! This process 
air system is operated around-the-clock on a three-shift basis. To 
maintain order and efficiency, it is important that detailed and 
effective scheduling of facility operations be accomplished. 

Other major facilities that are identifiable in the aerial 
photo are two propulsion wind tunnels (a 10-by-10-Foot Supersonic 
Wind Tunnel with speeds from Mach 2 to 3.5 and an 8-by-6-Foot 
Supersonic Wind Tunnel with speeds from transonic to Mach 2). The 
PSL buildings include four altitude tanks in which full-scale jet 
aircraft engines are operated under various conditions of simulated 
pressure altitude. Program support aircraft are operated out of the 
hangar. In the upper right hand corner are two large space-environ- 
ment facilities for evaluating electric propulsion systems in simu- 
lated space flight conditions. There is also a zero-gravity facility 
which consists of a vacuum chamber approximately 20 feet in diameter 
and 500 feet deep in the ground with a pneumatic accelerator located 
at the bottom. (On an up-and-down trip, experimental packages can 
achieve approximately 10 seconds of zero-gravity conditions.) There 
are some 140 structures at the Center with a plant value of about 
300 million dollars. 

Of course, one cannot run a plant and facilities such as these 
without people! The general array of personnel functions necessary 
to operate and manage such facilities is indicated in figure 3. 
The Center has a total complement of approximately 3,050; of these, 
approximately 1,350 are professional scientists and engineers. As 
indicated in the wheel chart, each major facility must operate with 
people organized in different functional groups. It is vital that 
effective communications and delineation of roles be achieved in 
order to establish a true safety awareness among personnel. Train- 
ing must be an essential and integral part of the safety program. 

PROGRAM APPROACH AND ORGANIZATION 

The Center then is made up of people and facilities! This is 
the investment that we must protect. The Lewis safety program 
cornerstones are identified in figure 4. As indicated, safety must 
start at the top with management support and visibility of the 
residual risks encountered in day-to-day operations. The safety 
program must reside on the sound engineering judgment of its most 
experienced and knowledgeable people. We have required that there 
be an overall systems approach adopted to the review of individ- 
ual operations. We must recognize the responsibilities of the R&D 
line management and at the same time achieve a parallel review 
channel reporting to top management. In effect, we are to estab- 
lish a third-party review process. It is essential that we have 
visibility and control of operations. In our case, this is done 
with a paper system, the so-called "safety permit" system. The 
permit is a paper that stipulates the restrictions, precautions and 
requirements for operation and, thus, becomes a basic training and 
communication document between the technicians (who do the work) 
and the researchers (who generate the requirements). Obviously, a 
certain amount of safety documentation must be established and 
maintained. 

In organizing the safety program, the Center plot plan was sub- 
divided into seven geographical areas with boundaries established 
as indicated in figure 5. Each area includes a complex of facili- 
ties with some degree of operational similarities and requirements. 
Within each, six to eight knowledgeable, experienced people are ap- 
pointed by the Center director to form an area safety committee. 
By design, the membership of the committee is interdisciplinary in 
its makeup. These members serve on a part-time basis (perhaps 
10-15% of their time on safety reviews), apart from their prime 
job assignments such as in research or operations. These area 
safety committees report to an executive safety board. The func- 
tions of the area safety committee are to effect the third-party 
review and to issue the safety permits. The permit is a paper re- 
flecting the concurrence of the area committee on the proposed 
safety plan and is simply a clearance to operate or to proceed with 
the activity. The executive safety board is responsible for the 
promulgation of safety policy, the resolution of any impasse between 
the line and the area safety committees, and the provision of visi- 
bility to the Center director of the overall safety posture of the 
Center. Functional advisory panels are also made up of specialists 
to coordinate and work with the various area safety committees. There 
are two standing accident investigation committees to determine 
facts and recommend corrective actions on accidents/incidents as 
they arise. The safety director is responsible for the operation 
and management of the Lewis safety office and wears an extra hat 
as the executive secretary (or the implementing arm) of the board. 


THIRD-PARTY REVIEW AND APPROVAL PROCEDURES 

A flow chart of safety approval procedures is illustrated in 
figure 7 for Lewis in-house operations. As discussed earlier, the 
initial burden of developing the safety plan rests with the cogni- 
zant project engineer (PE). It is his function to bring his pro- 
posed plan to the area safety committee for detailed review. Should 
there be established precedence and all questions and challenges 
pertaining to safety resolved, then a safety permit will be issued 
and the project engineer will find his activity clear to operate. 
However, if there are additional findings or unanswered questions 
by the area safety committee, there may be several iterations be- 
tween the area safety committee and line management before issues 
are resolved and a safety permit issued. Impasse and significant 
major risk assessment are to be passed on to the executive safety 
board and, in certain cases, major elements of risk or cost are 
referred with recommendations to the Center director for resolution. 
Keep in mind that there is an effort to restrict membership within 
the area safety committee to personnel outside direct line manage- 
ment responsibilities, so that, in effect, we don't have people 
reviewing their own work. In this way, we effect a third-party re- 
view parallel to the line. Ultimate responsibility and resolution 
of impasse rests at the Center director level. 
SYSTEM SAFETY 


Much has been bandied about in the literature relative to "system 
safety." Some confusion and, perhaps, suggestion of mystique (or 
cultism) seems to hang over it, particularly when one attempts to 
define system safety as being something apart from industrial or 
institutional safety, aviation safety, public safety, etc. If one 
accepts the definition of system safety as suggested in figure 8, 
"a reasoned approach: logic based on facts and engineering 
judgment, a systematic study to identify all potential hazards and 
to determine means to effectively control or eliminate the hazards," 
then system safety is the name of the game and adequately describes 
our approach to Lewis in-house operations. 

System safety tools/techniques can be useful in analyzing, 
focussing, displaying and dealing with potential hazards. Some are 
listed in figure 8 and are defined herein in the Appendix. Com- 
plexity of the system will obviously determine the depth and so- 
phistication of the safety analysis. This is again a matter of 
judgment; obviously, a simple bell-jar-type activity would not in- 
volve as much detail as a full-scale engine in a major test facil- 
ity. The efficacy of system safety analysis can only be measured 
in terms of its impact on the decision-making process. As a matter 
of policy and procedure, an operational readiness inspection (ORI) 
is required before any new activity is initiated; this is the 
final check of the system before committing it to operation! 


DEVELOPMENT OF THE SAFETY PLAN 

Development of the safety plan is the first responsibility of 
the project engineer. Elements to be considered in a comprehensive 
plan are suggested in figure 9. For most operations, the technical 
literature is replete with safety guideline information in the way 
of standards, operating manuals, codes, research data and related 
experience. This is then the safety data bank! In each case, how- 
ever, the main concern is for the proper and precise matching of 
environmental parameters found in the cited literature with the 
proposed test conditions. Here again engineering judgment must 
prevail! Where appropriate data does not exist, analytic studies 
and proof testing must be initiated at system, subsystem or com- 
ponent levels. 

This perspective on safety standards is further illustrated in 
figure 10. Operations that are fairly routine or for which adequate 
precedence has been established can be handled as depicted verti- 
cally on the left side of the chart. With appropriate citations 
and reference to data bank information, project safety decisions 
are made through line management with the safety organization (S/O) 
responsible for monitoring, liaison and technical reviews. 

New technology, first-of-its-kind projects with little or no 
precedent information, must be handled with more detailed physical 
evaluations as depicted vertically on the right side of figure 10. 
In these instances, proof-type environmental and stress testing 
down to the component level must be done in order to reduce the 
residual risks to a minimum. An important requirement on devia- 
tions from conventional or previous related practice is the docu- 
mentation of the technical justification or engineering analysis. 
Documentation of successful safety practice becomes guideline 
information for subsequent similar operations, until with enough 
experience behind us we can recognize the merit of specific pro- 
cedures and propose them for consideration as safety standards. 

An illustration of this might be the Lewis Hydrogen Manual (ref- 
erence 9) which basically is a compilation of Lewis pioneering 
procedures and practices in the handling of liquid hydrogen. Doc- 
umentation of the final decision rationale is essential since it 
in turn becomes the basis for work specifications and safety rules. 
It also becomes the training vehicle by which we explain the pre- 
cautions and environmental constraints to the technicians who are 
to perform the work. 


SAFETY PERMIT SYSTEM 

In applying for a safety permit, the project engineer must fill 
out a standardized request form (figure 11 and 11(a)). For hazard- 
ous operations, this form is designed to achieve some semblance of 
uniformity in detailing, categorizing and quantifying the hazard 
and the proposed safety precautions. Key information would include 
delineation of environmental test conditions (pressure, temperature, 
voltage, frequency, flows, etc.), materials problems (chemical com- 
patibility, toxicity, radioactivity, etc.), sensing and detection 
equipment, emissions and effluents, and specified safety precautions 
for certain posed situations. An important block to be filled out 
is the one indicating precedence for the particular type of work; 
in essence, we don't attempt to reinvent the wheel every time! 
Signatory blocks are also provided for use by line supervision. 

Backup supportive analyses and documentation (including crit- 
ical system drawings) must be submitted to the Area Safety Commit- 
tee for review and approval. Upon concurrence of the operating 
plan, a safety permit (figure 12) is signed by the chairman, issued 
and posted in a conspicuous place at the operational site. State- 
ments on the permit briefly describe the activity and stipulate the 
safety requirements and the imposed operational restrictions. These 
safety specifications then become required basic training for the 
supporting technician staff, who are under instructions not to per- 
form work outside the scope of or not covered by a safety permit. 

All permits must be renewed and updated at least annually. 

Because of the great diversity of hazardous activities around 
the Center, each safety permit is color coded to provide a quick 
ready reference for plant protection personnel who might be called 
in to fight a fire. The code simply specifies as follows: 

Green (no unique firefighting techniques are required): 
take action; use water, dry chemicals or CO2. 

Yellow (fire involving liquid metals, high voltage, etc.): 
take action; use DRY chemicals ONLY. 

Red (unique: potential high explosive, high toxicity, 
nuclear radiation, etc.): take action ONLY after advice of a 
knowledgeable person (i.e., project engineer). 

In all cases, copies of current safety permits are also maintained 
by the plant protection staff and become an integral part of their 
building inspection patrols and pre-fire planning exercises. 

To track the safety permits for operational location and 
currency, an automatic data processing (ADP) system is updated 
by local supervisors (Technical Services Building Managers) and 
monthly printouts are provided. A sample page of the Facilities 
Utilization Report is shown in figure 13. For each building and 
room around the Center, operational tasks are described along with 
safety permit coverage and expiration dates. Safety concerns and 
utilities available to the area or room are also designated in 
accordance with the legend at the bottom of the page. Expired 
permits are removed from the site and the operations or work stopped 
until renewal is effected through appropriate channels. 


CENTER SAFETY OVERVIEW 

A representative monthly report summary is shown in figure 13(a). 
In effect, we have a compilation of known hazards and a snap- 
shot of the operational status for the many rigs around the Center! 
For example, at this particular time there were 380 high-voltage/ 
high-amperage operations, 94 hydrogen rigs, 22 activities employing 
450 psi combustion air, 158 operations using natural gas, etc. Of 
the 1136 activities reported, 103 are designed for unattended 
operations. There were also 104 permits that would expire within 
this reporting period. This Facility Utilization Report is an 
excellent operational tool for the building manager and provides 
some overall top management visibility of the safety program. 
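The permit tracking and monthly Facilities Utilization Report described in the two preceding sections, worked through as an added Python example (not code from the paper or from the Lewis ADP system): the permits, buildings, rooms, hazard classes, dates and the 30-day reporting period are constructed sample data, and the status, scope and renewal rules follow the paper's description of the permit system.

```python
from collections import Counter
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Firefighting color code printed on each permit; wording follows the paper's description.
FIRE_CODE_ACTIONS = {
    "green": "Take action; use water, dry chemicals or CO2.",
    "yellow": "Take action; use DRY chemicals ONLY.",
    "red": "Take action ONLY after advice of a knowledgeable person (project engineer).",
}


@dataclass(frozen=True)
class Permit:
    number: str
    building: str
    room: str
    task: str
    hazards: frozenset        # hazard classes the permit covers
    issued: date
    expires: date
    color: str                # green / yellow / red
    unattended: bool = False  # rig designed for unattended operation

    def __post_init__(self):
        if self.color not in FIRE_CODE_ACTIONS:
            raise ValueError(f"unknown fire code {self.color!r}")


def permit_status(permit, today, period_days=30):
    """EXPIRED: removed from the site and work stopped; EXPIRING: renewal falls due
    within the reporting period; CURRENT otherwise."""
    if permit.expires < today:
        return "EXPIRED"
    if permit.expires <= today + timedelta(days=period_days):
        return "EXPIRING"
    return "CURRENT"


def work_permitted(permit, today, task_hazards):
    """Technicians may not perform work outside the scope of, or without, a current permit."""
    return permit_status(permit, today) != "EXPIRED" and frozenset(task_hazards) <= permit.hazards


def renew(permit, today):
    """Renewal (required at least annually) through the area safety committee: a fresh one-year term."""
    return replace(permit, issued=today, expires=today + timedelta(days=365))


def utilization_report(permits, today, period_days=30):
    """Facilities Utilization Report: one row per permitted task (by building and room), plus
    Center-wide counts of live hazard classes, permit status and unattended operations."""
    rows, hazards, status_counts, unattended = [], Counter(), Counter(), 0
    for p in sorted(permits, key=lambda p: (p.building, p.room, p.number)):
        status = permit_status(p, today, period_days)
        status_counts[status] += 1
        if status != "EXPIRED":  # an expired permit no longer represents a live operation
            hazards.update(p.hazards)
            unattended += int(p.unattended)
        rows.append((p.building, p.room, p.task, p.number, status,
                     p.expires.isoformat(), FIRE_CODE_ACTIONS[p.color]))
    return {"rows": rows, "hazards": dict(hazards),
            "status": dict(status_counts), "unattended": unattended}


# Constructed sample permits: buildings, rooms, dates and hazard classes are invented.
REPORT_DATE = date(2024, 3, 1)
SAMPLE_PERMITS = (
    Permit("P-0101", "ERB", "101", "hydrogen-fueled combustor rig",
           frozenset({"hydrogen", "450 psi combustion air"}), date(2023, 6, 15), date(2024, 6, 15), "red"),
    Permit("P-0102", "ERB", "114", "natural gas burner checkout",
           frozenset({"natural gas"}), date(2023, 3, 20), date(2024, 3, 20), "green"),
    Permit("P-0203", "PSL", "E-2", "high-voltage plasma source",
           frozenset({"high voltage"}), date(2023, 2, 1), date(2024, 2, 1), "yellow", unattended=True),
    Permit("P-0304", "SPF", "B-1", "hydrogen thruster endurance run",
           frozenset({"hydrogen", "high voltage"}), date(2023, 10, 1), date(2024, 10, 1), "red", unattended=True),
    Permit("P-0305", "B-100", "12", "bell-jar vacuum test",
           frozenset({"vacuum"}), date(2023, 12, 1), date(2024, 12, 1), "green"),
)

if __name__ == "__main__":
    report = utilization_report(SAMPLE_PERMITS, REPORT_DATE)
    for row in report["rows"]:
        print(" | ".join(row))
    print("hazards:", report["hazards"])
    print("status:", report["status"], "unattended:", report["unattended"])
```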

With a great range and diversity of operations occurring in a 
relatively congested area, proximity factors become important in 
considering the potential for chain-reaction effects, wherein one 
accidental failure (or energy release) can, in turn, trigger yet 
another accident. A cursory "domino effects" study (based on Armed 
Services Explosive Safety Board quantity-distance criteria) was 
made of the Lewis fuels, oxidants and gas storage depots (as shown 
in figure 14). Separation distances, personnel evacuation zones 
and barricades to remove line-of-sight shrapnel were evaluated for 
conformance to standard practice and Center policy. Further de- 
tailed studies are required. With the level of complexity, other 
potential paths for accident propagation are open and must be taken 
into account in achieving a systems approach to all safety reviews 
of Center activities. 


EMERGENCY CONTAINMENT TEAM 

Personnel available to aid in emergency containment are shown 
on figure 15. The first echelon to combat any emergency situa- 
tion is the in-house plant protection staff consisting of 24 full- 
time personnel who are charged with manning firefighting equipment 
and emergency vehicles. Their backup, second-level reserves are 
auxiliary emergency reaction teams, consisting of 50 other employees 
who are trained in emergency rescue, firefighting and first aid 
techniques and are assigned on-call emergency support roles via 
their job descriptions. In a major fire (or aircraft accident), 
municipal (or airport) firefighting forces would also be called in. 
In personnel injury situations, the Lewis Medical Services (a full- 
time doctor and two nurses) are available. 

How do we insure that the emergency team performs as a well- 
oiled machine? One general observation that seems to prevail in 
the aftermath of most accidents is that a written operating pro- 
cedure or specification had previously existed on paper describing 
a proper safe way of doing the particular business. It is obvious 
that the mere generation of paper does not in itself constitute a 
safety program. It is but a step! 
PROJECT "STEEP" 


In most instances, accidents involve people — human frailties, 
errors of omission or commission. Safety instructions too often 
are not read, or read but soon forgotten. To circumvent this 
shortcoming, Lewis safety training policy is aimed at achieving an 
aggressive continuing program of instruction and exercise (or dry- 
run emergency drills) tailored to the needs and activities of par- 
ticular divisions. Such are the objectives of Project STEEP (Safe- 
ty Training in the Execution of Emergency Procedures) as represented 
in the logo of figure 16. 

Project STEEP is aimed at developing the team concept in achiev- 
ing an efficient fast response to posed emergency situations. It 
requires delineation of roles to be carried out among interfacing 
groups working in a given area; e.g., mechanics and engineers. Sim- 
ulation drills will be conducted and designed to exercise the 
"teams" in appropriate procedural details. A system of communica- 
tions is all important! The range of STEEP activities might include 
such exercises as the use of the emergency call system, area evacu- 
ation procedures, first aid and heart resuscitation techniques, 
general housekeeping, fire-fighting, explosion protection, opera- 
tions in emergency protective gear such as the Scott air-pack, 
radioactive or toxic releases, etc. These must be coordinated 
efforts between Plant Protection, Medical Services, the Safety 
Office and the line organizations. 

Examples of planned, organized emergency simulation training 
exercises under Project STEEP are shown on figure 17. The first 
rule in any emergency is to effect a rapid orderly building evac- 
uation of all personnel. The response is timed, evaluated for 
procedural deficiencies and reviewed post-facto with the designated 
evacuation monitors. Key operating personnel are trained in first 
aid and cardiovascular resuscitation. Mock disaster exercises are 
held to review these techniques and to put into practice personnel 
rescue procedures. To simulate an actual case, hot fire drills are 
conducted periodically. Here, plant protection crews work out with 
"light water" (AFFF) hoses on a gasoline pool-type fire. Emergency 
reaction team members also participate in the hot fire drills (as 
do municipal firefighters, at times) and learn to operate the emer- 
gency equipment. Here you see them throwing water and running 
flow tests on the equipment. 


CONCLUDING REMARKS 

In closing, the effectiveness of any safety program must rest 
on the support of management and the interest and motivation of the 
employees. It must be so ingrained in everyone's mind as to be 
recognized as the only way to effectively accomplish the business. 
Sound engineering judgment has to be the backbone of the safety de- 
cision-making process. While documentation and paperwork (figure 
18) in itself doesn't make a safety program, a certain amount be- 
comes essential in providing top-management visibility of the safety 
issues and the residual risks in operations. It is, perhaps, most 
important in working with unique high-energy R&D facilities, such 
as we have discussed here. Essential safety documentation can prob- 
ably be best defined by post-accident investigation criteria. Sim- 
ply, how well were the risks recognized, considered, sized and 
managed? At Lewis, the Executive Safety Board minutes are the prime 
vehicle for safety overview information. It is the means by which 
management obtains some visibility of residual risks in its over- 
all plant operations. 



APPENDIX 


SYSTEM SAFETY TOOLS/TECHNIQUES 

As extracted from the referenced literature, the following assur- 
ance tasks are defined herein to clarify terminology and to illus- 
trate the logic and analytic methodologies of system safety: 

• Hazards Identification and Criticality Ranking: 

An examination is made to determine all potential 
hazards that might be the result of inherent 
properties or characteristics of equipment, material 
or human failures, or environmental stresses. It 
includes consideration of the interrelationships of 
primary, initiating and contributory hazards and all 
pertinent circumstances involved in system operations. 

Hazards are then categorized in order of criticality, 
such as (1) potential loss of life, (2) potential 
mission failure, (3) delay or loss of operations and 
(4) excessive unscheduled maintenance. 

• Preliminary Gross Hazards Analysis: 

In the initial phases of development (e.g., siting 
considerations for hazardous operations or facil- 
ities), significant energy sources are identified, 
quantity-distance criteria are taken into account 
and methods are selected for containment and con- 
trol of these energy sources. 

• Worst Case Analysis; Maximum Credible Accident: 

A system in its operational lifetime is exposed to 
environments, processes, conditions and loads of 
varying magnitudes. The stresses and effects pro- 
duced will differ at various times. All of these 
and their interrelationships are analyzed for the 
worst case conditions that could exist, the most 
serious hazards, and the most damaging effects that 
could be produced. The term Maximum Credible Acci- 
dent is employed to indicate the worst-case con- 
dition that can reasonably be expected to occur. 

The probability may be extremely low, but not so 
low that it would be impracticable to incorporate 
suitable safeguards in the system. 

• Design Reviews; Fail-Safe Design Philosophy: 

This is the independent review and determination 
of the adequacy of design with respect to its 
intended functions. This review activity should be 
performed on both a continuous and discrete basis. 

Safety aspects of the design which are deemed in- 
adequate are subjected to a disciplined procedure of 
responsible follow-up to assure that corrective 
action is taken, documented and verified for efficacy. 
Special problem areas within the design are reviewed 
and trade-off studies initiated as required to solve 
these problems. Documentation of the design review 
is required with a complete list of all action items 
resulting from the review. Design reviews should be 
conducted at various points during the design; a pre- 
liminary design review during the early stages of 
design, a critical design review near the end of 
design, an operational readiness review, and a final 
design review after the equipment has been placed in 
operation plus informal design reviews throughout 
the program. The design reviews provide project 
engineering and program management with the neces- 
sary visibility to determine problem areas actual or 
potential, as well as possible resolutions to these 
problems. 

Since failures will occur, fail-safe arrangements are 
another means to prevent disabling of a system or to 
prevent a catastrophe involving major damage to equip- 
ment, injury to personnel or degraded operation. Fail- 
safe design insures that occurrence of a failure will 
leave the system unaffected or converted to a state in 
which no injury or damage can result. Fail-safe 
designs can be categorized into three types: 

(1) Fail-passive arrangements reduce the system 
to its lowest energy level. 

(2) Fail- active design maintains an energized con- 
dition that keeps the system in a safe mode 
until corrective action occurs. 

(3) Fail- operational arrangements allow system 
functions to continue safely until corrective 
action is possible. 

• Development Test Analysis: 

Design uncertainties are resolved and design decisions are 
finalized by means of the results of development tests. 
The development test program (including the test procedures 
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as well as the test results) is an excellent source of 
system effectiveness, strength and efficiency information. 
This analysis should be a vital adjunct to the system effec- 
tiveness assessment activity. 

• Failure (Hazard) Mode and Effect Analysis: 

This is a system analysis which is initiated in the early 
stages of design and considers the mode (function), the 
mechanism (hardware/software) and cause (chemistry, physics 
or human) of possible failures together with the effects of 
such failures on the system operation, consequence of fail- 
ure to the system objectives, probability of occurrence for 
each possible failure, deterrents to obviating the failures 
from occurring, and all corrective action required to pre- 
vent the failures from happening. A tabular analysis is 
prepared for systems, subsystems, components or parts. It 
is initiated in the early stages of development and/or 
design but is continually updated throughout the life cycle. 
During early conceptual studies, this analysis is used to 
delineate, in order of severity, those critical functions 
and related hardware which can lead to specific consequences 
to given mission objectives and/or crew/ personnel safety. 
During the developmental phase, the F(H)MEA is a primary 
tool for design evaluation. The analysis is later used 
during the test phase as an input for checkout procedures 
and test emphasis as well as fault isolation. In the oper- 
ational phase, the F(H)MEA aids in selection of alternate 
modes of operation under primary failure as well as in 
preparation of both prelaunch and inflight diagnostic pro~ 
cedures. Logistically , the analysis finds application in 
determining allocation of spare parts and selection of 
field personnel. 

• Fault Tree Analysis:

This graphic analysis traces by means of Boolean symbology the relationship of all minor events which contribute to the occurrence of a major undesired event in a system.

This analysis has two major elements. The first is the logic diagramming, known as a Fault Tree, which connects by means of "and" and "or" gates events (known as subevents) which contribute to the terminal undesired event of interest. The second element consists of the subevents themselves. These subevents are normally limited to the "what" of an incident rather than including how, why, who or where. While the FTA is a decisionary tool, it is primarily a motivational tool during early system conceptual activity. The full merit of the FTA is not realized until the development phase because the branches of the Tree cannot be traced to sufficient depth to influence design. During this phase, the emergence of certain paths as being more critical than others causes designers to revise their approach. A unique purpose of the FTA is to provide a system view of the impact of an undesired event, thus allowing every person who contributes to a system to see and understand how they might be consequential in an undesired event.
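As an added illustration (not part of the paper), the following Python evaluates a small constructed fault tree: it resolves the top event through "and"/"or" gates, enumerates the minimal cut sets that correspond to the critical paths the text says designers should watch for, and also propagates basic-event probabilities, which goes beyond what this section describes. The tree, its event names and the probabilities used are invented for the example.

```python
from itertools import product
from math import prod

# Constructed example tree, not from the paper. Leaves are basic events;
# inner nodes are ("AND", [...]) or ("OR", [...]) gates. Hypothetical
# top event: an uncontrolled release from a pressurized test rig.
TREE = ("AND", [
    "pressure_rises",
    ("OR", [
        "relief_valve_stuck",
        ("AND", ["sensor_fails", "operator_misses_alarm"]),
    ]),
])

def top_event(node, states):
    """Does the top event occur for a given dict of basic-event truth values?"""
    if isinstance(node, str):
        return states[node]
    gate, children = node
    results = [top_event(c, states) for c in children]
    return all(results) if gate == "AND" else any(results)

def cut_sets(node):
    """All sets of basic events whose joint occurrence triggers this node."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":                      # any one child's cut set suffices
        return [s for sets in child_sets for s in sets]
    # AND: one cut set from every child must occur together
    return [frozenset().union(*combo) for combo in product(*child_sets)]

def minimal_cut_sets(node):
    """Drop non-minimal sets; what remains are the critical paths to the top."""
    sets = set(cut_sets(node))
    minimal = [s for s in sets if not any(o < s for o in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def top_probability(node, probs):
    """Propagate basic-event probabilities gate by gate.

    Assumes independent basic events and no event feeding more than one
    branch; with shared events this gate-by-gate formula is not exact."""
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    ps = [top_probability(c, probs) for c in children]
    if gate == "AND":
        return prod(ps)
    return 1.0 - prod(1.0 - p for p in ps)
```

The shortest minimal cut set is the path a designer would attack first, typically by adding an independent barrier so that no single pair of events reaches the top.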

• Life Testing:

A comprehensive test technique, life testing examines and verifies the deleterious effects of long term steady-state operation of equipment. Also, the testing verifies the effects of storage and shelf-life aging of components.

Both life testing and stress testing should utilize statistical design-of-experiment techniques in test planning to facilitate objective analysis of the significance of varied test conditions upon the parameters tested and to maximize information per dollar from test programs. Good techniques to compress life testing in a meaningful way are needed.

The specific purposes of life testing are to demonstrate the life expectancy of the hardware under normal operating conditions of load and environment; to determine the effects of storage of the hardware in a nonoperating mode under actual or simulated storage environments; and to determine the shelf-life of the hardware considering nonmetallic materials aging, lubrication deterioration or loss of lubrication, metal migration, and other related factors.

• Environmental Stress Testing:

This test technique is applicable to system elements which are more sensitive to environmental stresses than to long-term operation. Design margins are determined by means of testing to failure under specified conditions of stress. This approach is applicable to those items which are not destroyed at each level of stress in order to observe their response(s). Stress testing relates failure rates to operating stresses under controlled or measured environments. The stress environment must represent the true environment to provide meaningful results. These data are used as inputs to establish functional relationships between failure behavior and associated parameters under various time and stress conditions. Then, the functional relationships are utilized for comparative evaluations of new processing techniques and new device types, realistic initial and end-of-life specification limits, and parametric prediction of failures.


• Trade-Off Studies:

This task covers the establishment of system effectiveness requirements and capabilities at various times during the system engineering process. A uniform and identifiable process is required for logically comparing total system effectiveness regardless of system purpose, size, or complexity. This task must produce quantitative or probabilistic results if it is to be a decision-making tool.

The measures of effectiveness should be based on mission objectives. These measures, together with other comparisons such as total system cost, are used as inputs to the decision-making process for choice of the best alternative. This occurs at all stages of the system engineering process that is a part of every new or upgraded equipment acquisition and operation. Trade-off studies completed in the concept definition phase are used to arrive at the best concept. Major decisions are made at the system level as to which concept is the most feasible in terms of effectiveness, cost, and all other criteria necessary for decision. Trade studies are used during the system definition phase to aid in selection of the best alternatives for use at the subsystem and component level, and during design definition to support design-level decisions.
Figure 6 - LEWIS SAFETY ORGANIZATION

Figure 7 - LEWIS IN-HOUSE SAFETY APPROVAL PROCEDURES

Figure 8

SYSTEM SAFETY ANALYSIS

- a reasoned approach or logic based on facts and engineering judgments to define clearly the safety issues and alternatives for effective decision-making

- a systematic study to identify all potential hazards and to determine means to effectively control or eliminate the hazards
Figure 10 - PERSPECTIVE ON "SAFETY STANDARDS"

Figure 14 - "DOMINO EFFECTS" STUDY

Figure 17 - EMERGENCY SIMULATION EXERCISES

BUILDING EVACUATION

MOCK DISASTER

Figure 18

SAFETY DOCUMENTATION 


• Operational Safety Policy (distributed and issued as a Lewis Management Instruction)

• LeRC Operational Safety Manual

• Safe-T-Grams, safety training reports, safety statistics and accident reporting

• Requests for safety/health operating permits (identification of hazards, analyses, safeguards, and operating restrictions)

• Safety permits (posted in all potentially hazardous operating areas)

• Facility ad hoc committee reports on safety and operations. SAR's.

• Executive Safety Board minutes (management information, coordination, policy, and overview). Overall Center risk assessment.





